Re: decoder: 'DECODE_ICMP4_TYPE_OTHER' alert, false positive?

[Victor Roemer <vroemer () sourcefire com>]

Bram,

I'm not surprised to see this behavior, though that doesn't mean its
appropriate. Do you know if ICMPv6 is handled the same way?

I think it would be more useful to have individual alerts for "deprecated",
"reserved" etc.. I'll open a bug to address this annoyance.

Thanks

On Wed, Sep 4, 2013 at 9:10 AM, Bram <bram-fabeg () mail wizbit be> wrote:

> Hi,
>
>
> When should snort generate the 'DECODE_ICMP4_TYPE_OTHER' alert?
> Currently the alert is generated for some ICMP types that are defined by
> IANA and for which an RFC exist.
>
> Looking at the code shows that a list of 'known' (src/decode.h) ICMP types
> is used and that the alert is generated for all other ICMP types.
>
> The question tho: based on what was this list created?
> I see two options:
> * All defined ICMP types - at the time the code was written - were added
> * A subset of the defined ICMP types were added
>
> Personally I would expect to see the 'DECODE_ICMP4_TYPE_OTHER' for ICMP
> types that are completely unknown (not assigned by IANA/no RFC).
>
> But: there appears to be no documentation for this rule so I'm not sure
> what the expected/correct behaviour is...
>
>
> IANA list: http://www.iana.org/**assignments/icmp-parameters/**
> icmp-parameters.xhtml<http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml>
>
> Known by snort (OK)
> * Type 0 ? Echo Reply
> * Type 3 ? Destination Unreachable
> * Type 4 ? Source Quench (Deprecated)
> * Type 5 ? Redirect
> * Type 8 ? Echo
> * Type 9 ? Router Advertisement
> * Type 10 ? Router Selection
> * Type 11 ? Time Exceeded
> * Type 12 ? Parameter Problem
> * Type 13 ? Timestamp
> * Type 14 ? Timestamp Reply
> * Type 15 ? Information Request (Deprecated)
> * Type 16 ? Information Reply (Deprecated)
> * Type 17 ? Address Mask Request (Deprecated)
> * Type 18 ? Address Mask Reply (Deprecated)
>
> Unknown by snort:
> * Type 6 ? Alternate Host Address (Deprecated)
> * Type 30 ? Traceroute (Deprecated)
> * Type 31 ? Datagram Conversion Error (Deprecated)
> * Type 32 ? Mobile Host Redirect (Deprecated)
> * Type 33 ? IPv6 Where-Are-You (Deprecated)
> * Type 34 ? IPv6 I-Am-Here (Deprecated)
> * Type 35 ? Mobile Registration Request (Deprecated)
> * Type 36 ? Mobile Registration Reply (Deprecated)
> * Type 37 ? Domain Name Request (Deprecated)
> * Type 38 ? Domain Name Reply (Deprecated)
> * Type 39 ? SKIP (Deprecated)
> * Type 40 ? Photuris
> * Type 41 ? ICMP messages utilized by experimental mobility protocols such
> as Seamoby
>
> Other (OK)
> * Type 1 ? Unassigned
> * Type 2 ? Unassigned
> * Type 7 ? Unassigned
> * Type 19 ? Reserved (for Security)
> * Types 20-29 ? Reserved (for Robustness Experiment)
> * Types 42-252 ? Unassigned
> * Type 253 ? RFC3692-style Experiment 1
> * Type 254 ? RFC3692-style Experiment 2
>
>
> I expect/expected an alert only for the 'Other' list..
>
>
>
> This was detected because an ICMP message with type 37 was received (and
> an alert generated).
> It is unknown what system generated that particular ICMP packet...
>
> Just for reference:
>
> config:
>         dynamicpreprocessor directory /usr/lib/snort_**
> dynamicpreprocessor/
>         alert ( msg:"DECODE_ICMP4_TYPE_OTHER"; sid:418; gid:116; rev:1;
> metadata:rule-type decode; )
>         output alert_fast: stdout
>
> running it:
>         $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
> -r /tmp/icmp_37.cap 2>&1  2>&1 | grep 116
>         07/21-15:29:41.473279  [**] [116:418:1] (snort_decoder) WARNING:
> ICMP4 type other [**] [Priority: 0] {ICMP} 192.168.99.111 -> 10.10.10.10
>
> snort version:
>         $ snort -V
>            ,,_     -*> Snort! <*-
>         o"  )~   Version 2.9.5.3 GRE (Build 132)
>            ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/**snort-team<http://www.snort.org/snort/snort-team>
>                    Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>                    Using libpcap version 1.3.0
>                    Using PCRE version: 8.32 2012-11-30
>                    Using ZLIB version: 1.2.8
>
>
>
> Best regards,
>
> Bram
>
>
> ------------------------------**------------------------------**----
> This message was sent using IMP, the Internet Messaging Program.
------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!